‘False positives’ render security software effectively useless

Douglas Crawford

January 22, 2015

Security products such as anti-virus software have a big problem: they aren’t always very good at deciding whether what they have detected is actually a threat, and so they require humans to decide how to deal with the situation.

The result is that ordinary computer users are bombarded with unreliable warnings (known as ‘false positives’) which they are unqualified to assess. This in turn leads them either to turn down their security settings so that they receive fewer warnings (which also makes the software less effective), or simply to ignore the warnings altogether.

Even when users are security experts qualified to assess the threat flagged up by a warning, turning on all of a program’s security features may result in a false positive paradox: because genuine infections are rare among the events a detector inspects, false positive results become statistically more likely than true positive results. Again, the result is even expert users dialing down security settings or ignoring warnings.

A new survey by market research company the Ponemon Institute highlights this problem, finding that,

In a typical week, organizations receive an average of nearly 17,000 malware alerts; only 19% are deemed reliable – or worthy of action. Security teams are unnecessarily consumed by activity that poses no threat to their data security, which can distract them from dealing with threats that can lead to compromise. Compounding the problem, respondents believe their prevention tools miss 40% of malware infections in a typical week. The longer malware goes undetected, the greater the risk of a breach.

The result is ‘that enterprises spend $1.3 million a year dealing with false positive cyber security alerts, which equals nearly 21,000 hours in wasted time.’

Unfortunately, ignoring security warnings can also be very costly. In 2013 US retailing giant Target fell victim to cybercrooks who installed malware on its systems. The FireEye security system used by Target did flag up an alert, but it was ignored, resulting in the theft of 40 million consumer credit card numbers and the personal information of 70 million customers. The affected banks have now been given the go-ahead to sue Target for negligence.

Brian Foster is chief technology officer at network-security firm Damballa, which commissioned the report. He concludes that,

These findings confirm not only the sheer scale of the challenge for IT security teams in sifting out the real threats from tens of thousands of false alarms, but also the huge financial impact in terms of time. The severity and frequency of attacks is growing, which means that teams need a way to focus on responding to true positive infections if they are to get a firmer grip on their security posture… It’s more important than ever for teams to be armed with the right intelligence to detect active infections to reduce their organization’s risk exposure and make the best use of their highly-skilled, limited security resources.

Foster believes that the industry needs to change, and that companies should invest in additional software systems that allow one or more programs to corroborate the findings of other programs (but then, as this involves companies buying more security software, he would say that!)

Find ways to corroborate those alerts. Try to get at the problem from multiple angles instead of relying on a single silver bullet.
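The false positive paradox mentioned above, and the payoff of Foster’s advice to corroborate alerts, both come down to base-rate arithmetic. The following is an added example (not code from the article, from Damballa or from the Ponemon report) that works through it with Bayes’ theorem: the sensitivity, false positive rate and infection prevalence figures are assumed, illustrative values, not measurements from the survey.

```python
"""Base-rate arithmetic behind the false positive paradox, plus the effect
of corroborating one detector's alert with a second, independent one.

Added example, not code from the original article or from Damballa/Ponemon.
Sensitivity, false positive rate and prevalence figures below are assumed,
illustrative values, not measurements from the report.
"""


def positive_predictive_value(sensitivity: float, false_positive_rate: float,
                              prevalence: float) -> float:
    """Share of raised alerts that are true positives, via Bayes' theorem.

    sensitivity          P(alert | infected)
    false_positive_rate  P(alert | clean)
    prevalence           P(infected) among the events the detector inspects
    """
    true_pos = sensitivity * prevalence
    false_pos = false_positive_rate * (1.0 - prevalence)
    if true_pos + false_pos == 0.0:
        return 0.0  # the detector never fires, so no alert to judge
    return true_pos / (true_pos + false_pos)


def break_even_prevalence(sensitivity: float, false_positive_rate: float) -> float:
    """Prevalence below which false positives outnumber true positives.

    Solves sensitivity * p == false_positive_rate * (1 - p) for p.
    """
    return false_positive_rate / (sensitivity + false_positive_rate)


def corroborated_ppv(detectors, prevalence: float) -> float:
    """PPV when an alert is acted on only if every detector in `detectors`
    fires on the same event.

    `detectors` is a list of (sensitivity, false_positive_rate) pairs.
    Assumes the detectors' errors are statistically independent; two
    engines sharing signatures or a vendor feed are correlated and gain less.
    """
    joint_sensitivity = 1.0
    joint_fpr = 1.0
    for sensitivity, fpr in detectors:
        joint_sensitivity *= sensitivity
        joint_fpr *= fpr
    return positive_predictive_value(joint_sensitivity, joint_fpr, prevalence)


def ppv_table(sensitivity: float, false_positive_rate: float, prevalences):
    """Rows of (prevalence, single-detector PPV, two-detector PPV)."""
    rows = []
    for p in prevalences:
        single = positive_predictive_value(sensitivity, false_positive_rate, p)
        double = corroborated_ppv([(sensitivity, false_positive_rate)] * 2, p)
        rows.append((p, single, double))
    return rows


if __name__ == "__main__":
    # Assumed detector: 99% sensitivity, 1% false positive rate. Prevalence is
    # the fraction of inspected events (files, connections) that are malicious.
    SENS, FPR = 0.99, 0.01
    print(f"break-even prevalence: {break_even_prevalence(SENS, FPR):.4f}")
    print(f"{'prevalence':>10} {'PPV (1 engine)':>15} {'PPV (2 engines)':>16}")
    for p, single, double in ppv_table(SENS, FPR, [0.1, 0.01, 0.001, 0.0001]):
        print(f"{p:>10.4f} {single:>15.3f} {double:>16.3f}")
```

With the assumed 99%/1% detector, a single engine’s alerts are only 50% reliable once infections make up 1% of inspected events, and about 9% reliable at 0.1%, which is the paradox in numbers. Requiring a second, independent engine to agree lifts reliability at 0.1% prevalence to roughly 91%, but note the trade-off: the joint sensitivity drops to 0.99 × 0.99, so corroboration buys precision at the cost of a few more missed infections, the same quantity the survey’s respondents already put at 40%.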

Unfortunately for home users, there is no easy solution (at least until AIs take over the world!)

Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

2 responses to “‘False positives’ render security software effectively useless”

  1. So we need to whitelist and sandbox. Tools like Sandboxie, and Windows’ AppLocker (not available on home versions, unfortunately) will pretty much guarantee a secure environment.

    It means we’re back to the early days, when users of ZoneAlarm (a firewall) were constantly deciding whether or not programs should be allowed to send information out – or receive incoming data. Of course, one expects that modern efforts will be an improvement on ZoneAlarm’s “Do you want SUDELTA32.DLL to receive information?”, and then having to figure out for yourself what on Earth SUDELTA32.DLL was.

    1. Hi Stephan.

      Indeed. I will look further into Windows AppLocker, but while Sandboxie is useful (I run it all the time), in my experience it fails as often as it succeeds in sandboxing programs, which limits its utility somewhat. Another option is to only download and run/open downloaded programs or files inside a virtual machine (VM). I feel that an article on this subject might be a good idea :).
